Credentials Vault Documentation
HEAppE Middleware uses the Hashicorp Vault to store and manage sensitive Robot account HPC identity credentials (SSH keys, logins, passwords).
The Vault is deployed as a separate service into the Docker container within the HEAppE Middleware deployment procedure.
What is Vault?
HashiCorp Vault is an open-source tool designed to provide secrets management, data encryption, and access control. Vault helps organizations securely manage secrets like API keys, passwords, certificates, and other sensitive data, ensuring they are stored, accessed, and audited appropriately. It also provides dynamic secrets, which are generated on demand and have limited lifetimes, further enhancing security by reducing the window of exposure.
Why HEAppE Uses Vault?
HEAppE Middleware integrates HashiCorp Vault to securely store and manage sensitive credentials related to Robot accounts for High-Performance Computing (HPC) environments. These credentials may include SSH keys, usernames, passwords, and tokens, which are required for accessing HPC resources. Using Vault, HEAppE ensures:
Secure Storage: Credentials are encrypted and securely stored.
Access Control: Only authorized entities can access specific secrets.
Audit Logging: All access and operations are logged for audit and compliance.
How Does HEAppE Communicate with Vault?
HEAppE communicates with Vault using a specialized agent service. This service acts as an intermediary between HEAppE and Vault, handling authentication, requests, and secrets management.
Security Features
HashiCorp Vault offers several security features that are leveraged by HEAppE, including:
Dynamic Secrets: Secrets are generated on demand and have a limited lifetime.
Access Control Policies: Fine-grained access control to manage who can access which secrets.
Audit Logging: All access to secrets is logged for security and compliance purposes.
Vault Initialization
Before the HEAppE Middleware deployment, the Vault needs to be initialized and unsealed. Initialization is a one-time process that sets up the Vault’s encryption keys and other configuration settings. During initialization, the Vault generates the initial root token and unseal keys, which are required to unseal the Vault.
Vault Unsealing
Unsealing is a process that requires multiple unseal keys to unlock the Vault. This process is designed to prevent unauthorized access to the Vault. Vault seals itself after a restart or after a certain number of failed attempts to access it.
To unseal the Vault use the following commands:
Note
This workflow requires
ansible-vaultandjqto be installed.1. Create Ansible Vault file for storing HashiCorp secrets:
$ ansible-vault create /opt/heappe/projects/credentials2. Navigate to the Vault scripts directory:
$ cd heappe-core/HashiCorpVaultScripts3. Add execute permissions to the unseal script:
$ chmod +x *.sh4. Run the initialization script:
Usage: ./initHVault.sh <vault_password> [-p <path to vault file>] [-b <base path>] [-i <instance name>] This script initializes and configures HashiCorp Vault and appends generated credentials to an Ansible Vault file. Options: -p, --path Path to the existing or new Ansible Vault file (default: /opt/heappe/projects/credentials). -b, --base-path Base path for output files (default: ../../app/confs). -i, --instance-name Name of the section in the Ansible Vault file (default: Develop). vault_password Password to encrypt/decrypt the vault file (required). Example: ./initHVault.sh myVaultPassword -p /path/to/vault.json -b /path/to/base -i MyInstance Note: If configuration files do not exist in the specified base path, default configuration files will be created. Note: The script requires 'ansible-vault' and 'jq' to be installed.5. Example:
$ ./initHVault.sh myVaultPassword -p /opt/heappe/projects/credentials -b ../../app/confs -i Develop